I was trying to find something similar in JBoss. I see one could probably restrict http access via Tomcat valves. But is there any underlying security policy /file where one can define a restrictive set of hostnames/ and or subnets?

Something close I found was the bind address property, but this is for services to bind to all IPs on the machine. And so, it seems to me the scope of this is to allow all IPs from the host machine, and not control which clients it will allow.